1. Field of the Invention
The present invention relates to the secure transfer of applications and/or data onto a chipcard which has a memory with a file structure. The method of the invention limits the use of commands and security codes to subdomains of the file structure, such as one or more of its directories. This limits the transfer of an application to an inappropriate directory, where it could do inadvertent or intentional harm, and it also allows the misuse of security codes to be prevented.
2. Description of the Related Art
Since the mid-eighties, chipcard applications have spread into more and more areas of everyday life. This success rests fundamentally on their high level of protection against manipulation and on their reliability. In addition, chip technology guarantees a high degree of flexibility for a variety of applications.
The manufacture of chipcards, up to the point where they can be issued to a user, is described in Rankl/Effing: Handbuch der Chipkarten (The Chipcard Handbook), Karl Hanser Verlag, 1996. After a module containing the semiconductor chip has been embedded into the card, global data and the personal data of the future card user are loaded onto the chipcard. In the course of this, chipcard manufacturers increasingly load several applications onto the chipcard at the same time.
The internal structure of the chipcard basically conforms to the ISO 7816-4 standard. Usually, the data belonging to an application are placed in files located in an application directory. The files and application directories are transferred onto the chipcard by the card manufacturer. If a new application from an application supplier is to be transferred onto a chipcard that has already been issued, then particular attention must be paid to the chipcard's security code system. This applies in particular to applications which are not under the control of the card manufacturer.
If one assumes that the application supplier has an interest in spying on data belonging to the manufacturer or to other application suppliers, or in using their security code systems, in particular their cryptographic keys, then the problem is to prevent such spying by the application supplier.
In a known procedure, the commands which can be used to create files and application directories on the chipcard are certified by the chipcard manufacturer. This is done, for example, by appending a MAC (message authentication code): using a cryptographic key belonging to the manufacturer, an individual MAC is computed for the command to be used and appended to it. This process is carried out by a cryptographic installation which the manufacturer makes available to the application supplier. The installation converts the command into a form acceptable to the chipcard.
The disadvantage of this known procedure is that the command created by the cryptographic installation can still be used in a directory in which its use was not foreseen. This is possible because the commands rely on preceding selection commands which have unlimited access to the different directories. Thus data and/or cryptographic keys belonging to the manufacturer or to other application suppliers can be overwritten or changed.
There is an additional problem when applications from an application supplier are to be transferred at a later date onto a chipcard already issued. If the manufacturer allows the application supplier to create new files, the application supplier can exploit this in order to spy on cryptographic keys. When creating new files and the access rights associated with them, it is possible to set the access rights in such a way that, on reading data from the file and/or writing data to the file, reference is made to the manufacturer's cryptographic key. In this way the chipcard manufacturer can be misrepresented as the sender of data which actually came from the application supplier.
The instant invention provides a method for securely loading applications onto a chipcard which has been already issued.
To accomplish this security, the method of the invention allows a command to be used only in at least one subdomain of a common file structure, where both the file structure and the changed file structure are included in the common file structure.
The most important advantage achieved by the invention over the current state of the art is the guarantee of secure loading of a multitude of different applications onto a chipcard which has already been issued, where the applications of independent application suppliers can be loaded. Each application supplier can use the command certified for him by the manufacturer only in a certain area of the chipcard and thus has no possibility of accessing subdomains of the chipcard memory which are reserved either for other application suppliers or exclusively for the manufacturer.
A further advantage of the invention is that by limiting the usability of cryptographic keys, their use can be controlled by the chipcard manufacturer.
When the invention is properly implemented, at least one security code is used, in particular a cryptographic key and/or a password. The use of this type of security code guarantees improved security standards when transferring applications onto the chipcard.
A further advantage is that the security code is used only in at least one subdomain of the file structure, so that the risk of erroneous use of the security code in other subdomains of the common file structure is reduced.
In one embodiment of the invention, the command and/or the security code each have at least one identifier allocated to them. An identifier has the advantage that it can be flexibly adapted to the respective conditions of use. If the manufacturer wants to make a certain command and/or security code available to several application suppliers, this can be done by means of the identifier without great effort.
A further advantage is that the identifier shows whether the command and/or security code may be used in the subdomain of the common file structure. This helps avoid the misuse of commands and/or security codes in application directories of the chipcard in which their use was not foreseen.
In one advantageous form of the invention, the identifier of the command and/or the identifier of the security code is evaluated before the command and/or the security code is used in the subdomain of the common file structure. This stage of the process makes it possible to decide on the subsequent procedural stages, depending on the identifier, before use of the command and/or the security code is started.
The use of the command and/or security code in the subdomain of the common file structure can be deliberately excluded when the identifier of the command and/or security code shows that the command and/or security code may not be used in that subdomain. In this way the misuse of a command and/or a security code in the subdomain can be avoided. Advantageously, this is carried out before any data manipulation by means of the command and/or security code can be started.
In another embodiment of the invention, the identifier is allocated to a subdomain of the common file structure, which allows the manufacturer to certify several commands and/or security codes for this subdomain for an application supplier. In this case, one identifier carrying the necessary information is allocated once to the subdomain. This saves a number of procedural stages in the identification of the several commands and/or security codes.
It is an advantage of this embodiment of the invention that the command and/or security code is stored in the subdomain of the common file structure in which use of the command and/or the security code has been foreseen. Once use has been foreseen, it can be permitted or prohibited by the identifier as required for system security.
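The following is an added illustration, not part of the patent text, modelling the MAC certification described in the related art together with the identifier check of the embodiments above (one identifier allocated per subdomain, evaluated on the card before the certified command is executed). The HMAC construction, the directory names, the identifier values and the key are constructed assumptions for this example only.

```python
import hmac
import hashlib

# Constructed placeholder; stands in for the manufacturer's certification key.
MANUFACTURER_KEY = b"constructed-manufacturer-key"

def new_card() -> dict:
    """Common file structure of the card. Each application directory (DF) carries one
    identifier naming the application supplier whose certified commands may run there
    (hypothetical identifier scheme, allocated once per subdomain)."""
    return {
        "MF":            {"identifier": "MANUFACTURER", "files": []},
        "DF_SUPPLIER_A": {"identifier": "SUPPLIER_A",   "files": []},
        "DF_SUPPLIER_B": {"identifier": "SUPPLIER_B",   "files": []},
    }

def certify(command: str, identifier: str) -> dict:
    """Manufacturer side: the MAC covers the command together with the identifier of
    the subdomain it is certified for, so the certified command is bound to that DF."""
    msg = f"{command}|{identifier}".encode()
    mac = hmac.new(MANUFACTURER_KEY, msg, hashlib.sha256).hexdigest()
    return {"command": command, "identifier": identifier, "mac": mac}

def execute(card: dict, selected_df: str, cert: dict) -> bool:
    """Card side: verify the MAC, then compare the identifier with that of the currently
    selected DF before any data manipulation starts. Returns True if executed."""
    msg = f"{cert['command']}|{cert['identifier']}".encode()
    expected = hmac.new(MANUFACTURER_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert["mac"]):
        return False                    # not certified by the manufacturer, or altered
    if card[selected_df]["identifier"] != cert["identifier"]:
        return False                    # certified, but not for this subdomain
    if cert["command"].startswith("CREATE FILE "):
        card[selected_df]["files"].append(cert["command"][len("CREATE FILE "):])
    return True

def demo() -> dict:
    """Supplier A's certified CREATE FILE is accepted only in supplier A's own DF."""
    card = new_card()
    cert = certify("CREATE FILE EF_A_DATA", "SUPPLIER_A")
    altered = dict(cert, identifier="SUPPLIER_B")   # identifier changed after certification
    return {
        "own_df": execute(card, "DF_SUPPLIER_A", cert),
        "other_df": execute(card, "DF_SUPPLIER_B", cert),
        "mf": execute(card, "MF", cert),
        "altered": execute(card, "DF_SUPPLIER_B", altered),
        "files_a": card["DF_SUPPLIER_A"]["files"],
        "files_b": card["DF_SUPPLIER_B"]["files"],
    }
```

Because the identifier is covered by the MAC, changing it after certification invalidates the MAC, and because the card compares it with the selected directory's identifier before acting, a valid certificate cannot be replayed in another supplier's directory or in the manufacturer's own.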